BusKill / usb-a-magnetic-breakaway

Design requirements for an open-source USB-A magnetic breakaway connector used in the BusKill laptop kill cord
GNU General Public License v3.0

Define new release workflow #11

Open goldfishlaser opened 2 months ago

goldfishlaser commented 2 months ago

Previously, I had the practice of continuously including my STL files during development. STL files are a type of compiler output and therefore have unreadable diffs that make them poorly suited for version control. Plus, it hasn't been a great way to manage the files. Already we had an issue where I changed some stl name or something and it broke a link.

I received advice to add STLs only during a release. So I would like to build a release. @maltfield How shall we go about it?

goldfishlaser commented 2 months ago

@Anubi5x0 why are you posting that link here?

VanDavv commented 2 months ago

Please do not click on a link above! This is a scam and some kind of bot!

Infected my issue:

https://github.com/evershopcommerce/evershop/issues/605

and is infecting other repos as well!

https://github.com/walt-id/waltid-identity/issues/722 https://github.com/csgroup-oss/sharinghub-server/issues/11 https://github.com/samie/Idle/issues/11 https://github.com/AZPixel-Team/Java2Bedrock/issues/4617 https://github.com/cnk3x/xunlei/issues/184 https://github.com/idaholab/moose/issues/28493 https://github.com/internxt/drive-desktop/issues/511 https://github.com/BusKill/usb-a-magnetic-breakaway/issues/11 https://github.com/jOOQ/jOOQ/issues/17148 https://github.com/meilisearch/meilisearch/issues/4902 https://github.com/conda/conda/issues/14197 https://github.com/kubernetes-client/java/issues/3668 https://github.com/AdguardTeam/AdguardFilters/issues/187484

goldfishlaser commented 2 months ago

Thanks @VanDavv I reported it. I was 99.9% sure it was phishy but I only asked in case there was some sort of explanation...

maltfield commented 2 months ago

Previously, I had the practice of continuously including my STL files during development. STL files are a type of compiler output and therefore have unreadable diffs that make them poorly suited for version control. Plus, it hasn't been a great way to manage the files. Already we had an issue where I changed some stl name or something and it broke a link.

I received advice to add STLs only during a release. So I would like to build a release. @maltfield How shall we go about it?

@goldfishlaser my concern about STL files isn't just that they're annoying, but that they could be malicious.

As shown in the link above, STL files have been found in at least 1 case to be able to trigger a heap buffer overflow.

We need to find a way to mitigate this risk. Including potentially-malicious files in releases (as opposed to the sources) doesn't mitigate this risk at all.

I changed some stl name or something and it broke a link.

Unrelated, but this is solved by linking to the file at a specific commit, as opposed to the file at HEAD.

maltfield commented 2 months ago

@VanDavv I'd be very curious to read some write-up about how it infected GitHub issues...

VanDavv commented 2 months ago

I'd be curious as well. I tracked down the latest activity feed for this account and went onward to warn people around about this, as well as reported it to GitHub as urgent. I think GitHub took action already, as the comment in my issue as well as other comments of this guy are already gone. Must admit, it's the first time I saw something like this...

Best of luck! ❤️

goldfishlaser commented 2 months ago

@maltfield so you are worried that an attacker potentially compromises my OpenSCAD program so that when I create an STL it has malicious code in it? Or some sort of interloper in the middle swapping out my stl with a malicious one?

Because your example involves someone doing this on purpose.

maltfield commented 2 months ago

@maltfield so you are worried that an attacker potentially compromises my OpenSCAD program so that when I create an STL it has malicious code in it? Or some sort of interloper in the middle swapping out my stl with a malicious one?

Because your example involves someone doing this on purpose.

Yes, I am worried about your own devices being infected such that it is exploited by an attacker to inject malicious files into the BusKill repo in order to infect BusKill users.

goldfishlaser commented 2 months ago

What do you have in place to sanitize image files?

maltfield commented 2 months ago

What do you have in place to sanitize image files?

I use qvm-convert in Qubes, and I recommend Dangerzone for most other people. Please see the other ticket for the feature request that I opened with Dangerzone to add STL file support.

Please read the other ticket about methods to mitigate potentially malicious STL files. I mentioned this in the OP as potential solution number 2.

goldfishlaser commented 2 months ago

Ah, I missed that that did images. But I didn't miss why it can't support STL, because of how it works.

Anyways that's to protect you if you're opening a malicious file, it doesn't scan / detect anything for uploading to a repository.

On Thu, Aug 29, 2024, 16:47 Michael Altfield @.***> wrote:

I use recommend qvm-convert in Qubes, and I recommend Dangerzone for most other people. Please see the other ticket for the feature request that I opened with Dangerzone to add STL file support.


goldfishlaser commented 2 months ago

You're effectively blocking me from contributing to this project out of fear that I have some sort of OpenSCAD zero day lol. It's starting to just not be worth my time.

If anyone wants the files visit my fork.

On Thu, Aug 29, 2024, 16:58 Melanie Allen @.***> wrote:

Ah, I missed that that did images. But I didn't miss why it can't support STL, because of how it works.

Anyways that's to protect you if you're opening a malicious file, it doesn't scan / detect anything for uploading to a repository.


maltfield commented 2 months ago

You're effectively blocking me from contributing to this project out of fear that I have some sort of OpenSCAD zero day lol.

The risk isn't just OpenSCAD. It's your whole endpoint. I'm afraid you're not grasping the surface area of risk. I am especially concerned because you just came back from DEF CON.

Please read through some of these historic examples of supply chain compromise that have affected other open source projects in the past decade and more.

The users of BusKill are especially vulnerable people who have very powerful adversaries. I take the risk of supply chain vulnerabilities very seriously.

Fortunately, OpenSCAD files are not a risk (because it's feasible for a human to read their diff). I don't see how this blocks you from being able to contribute to BusKill.

goldfishlaser commented 2 months ago

STL files are not really a risk either.

On Thu, Aug 29, 2024, 17:03 Michael Altfield @.***> wrote:

The risk isn't just OpenSCAD. It's your whole endpoint.

Please read through some of these historic examples of supply chain compromise that have affected other open source projects in the decade.

- https://github.com/cncf/tag-security/tree/main/community/catalog/compromises

The users of BusKill are especially vulnerable people who have very powerful adversaries. I take the risk of supply chain vulnerabilities very seriously.

Fortunately, OpenSCAD files are not a risk. I don't see how this blocks you from being able to contribute to BusKill.


maltfield commented 2 months ago

STL files are not really a risk either.

Doubling down on ignoring risk when I've pointed out an 8.8/10 severity CVE that caused heap buffer overflows in 2022 does little to inspire confidence :(

goldfishlaser commented 2 months ago

A single program with poor memory management getting exploited and then patched does not indicate we should distrust all stl files. Somehow, hundreds of other security-concerned projects still allow stl files in their repos.

It's not that I'm against finding a way to do forensics on STL files as a rule. I just disagree that it's urgent right now to the point of not letting me add STLs to releases for people's use. I don't think it's realistic to think that the threat of someone targeting my or other contributors' OpenSCAD installations to make it compile steganographically attacked STL files with the goal of worming into your app is large enough to justify the cost.

I didn't bring my laptop to DEF CON and I had my phone locked down (I only used it for a couple of selfies) or in a Faraday bag. I used an ephemeral OS on a burner laptop for my presentation.

So yeah, if people want the STL files they can come to my fork.

On Thu, Aug 29, 2024, 17:13 Michael Altfield @.***> wrote:

STL files are not really a risk either.

Doubling down on ignoring risk when I've pointed out an 8.8/10 severity CVE that caused heap buffer overflows in 2022 does little to inspire confidence :(


maltfield commented 2 months ago

@goldfishlaser are your STL files reproducible?

goldfishlaser commented 2 months ago

This seems to refer to a system, not to a particular file or file type.

On Fri, Aug 30, 2024, 10:47 Michael Altfield @.***> wrote:

@goldfishlaser (https://github.com/goldfishlaser) are your STL files reproducible (https://reproducible-builds.org)?


maltfield commented 2 months ago

This seems to refer to a system, not to a particular file or file type.

@goldfishlaser please generate your STL file on two distinct computers. Generate a sha256sum hash of the STL files generated on the two distinct computers, and add the sha256 hash values (output of sha256sum) to this ticket.
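The two checks discussed in this thread, a structural sanity check on an STL before any parser is trusted with it (the mitigation question raised earlier) and the sha256 comparison of STL exports produced on two separate machines (the reproducibility test requested here), written out as an added example. This is not code from the BusKill project or from anyone in this thread; it is plain Python, the sample STL bytes are constructed inline, and the names `inspect_stl`, `check_reproducible` and `make_binary_stl` are assumptions of this example:

```python
import hashlib
import struct

HEADER_LEN = 80   # binary STL: 80-byte free-form header, then uint32 little-endian triangle count
RECORD_LEN = 50   # per triangle: normal (3 floats) + 3 vertices (9 floats) + uint16 attribute count


def make_binary_stl(triangles, header=b"constructed sample"):
    """Build a binary STL byte string from (normal, v1, v2, v3) tuples.
    Only used here to construct sample input offline (hypothetical helper)."""
    out = bytearray(header.ljust(HEADER_LEN, b"\0"))
    out += struct.pack("<I", len(triangles))
    for normal, v1, v2, v3 in triangles:
        for vec in (normal, v1, v2, v3):
            out += struct.pack("<3f", *vec)
        out += struct.pack("<H", 0)  # attribute byte count, conventionally zero
    return bytes(out)


def inspect_stl(data):
    """Conservative structural check before a file is handed to a real parser.
    Returns {"format", "ok", "triangles", "reason"}. No geometry is decoded; the
    only question asked is whether the file's declared size agrees with its real size."""
    # ASCII STL: "solid ... endsolid" with balanced facet/endfacet blocks.
    # (A binary header may also start with "solid", hence the extra "endsolid" test.)
    if data.lstrip().startswith(b"solid") and b"endsolid" in data:
        facets = data.count(b"facet normal")
        ends = data.count(b"endfacet")
        ok = facets == ends
        return {"format": "ascii", "ok": ok, "triangles": facets,
                "reason": "" if ok else "unbalanced facet/endfacet blocks"}
    if len(data) < HEADER_LEN + 4:
        return {"format": "unknown", "ok": False, "triangles": 0,
                "reason": "shorter than a binary STL header"}
    declared = struct.unpack_from("<I", data, HEADER_LEN)[0]
    expected = HEADER_LEN + 4 + declared * RECORD_LEN
    if expected == len(data):
        return {"format": "binary", "ok": True, "triangles": declared, "reason": ""}
    # Header and length disagree: reject before any parser trusts the declared count.
    return {"format": "binary", "ok": False, "triangles": declared,
            "reason": f"header declares {declared} triangles ({expected} bytes) "
                      f"but file is {len(data)} bytes"}


def check_reproducible(builds):
    """builds: mapping of build label -> STL bytes exported independently
    (e.g. on two distinct computers). Returns (all_equal, {label: sha256 hex})."""
    digests = {label: hashlib.sha256(blob).hexdigest() for label, blob in builds.items()}
    return len(set(digests.values())) == 1, digests


# Constructed sample inputs (not real project files).
TRI = ((0.0, 0.0, 1.0), (0.0, 0.0, 0.0), (1.0, 0.0, 0.0), (0.0, 1.0, 0.0))
BINARY_OK = make_binary_stl([TRI, TRI])
# Same header, but only one of the two declared records is present.
TRUNCATED = BINARY_OK[:HEADER_LEN + 4 + RECORD_LEN]
ASCII_OK = b"""solid constructed
  facet normal 0 0 1
    outer loop
      vertex 0 0 0
      vertex 1 0 0
      vertex 0 1 0
    endloop
  endfacet
endsolid constructed
"""

if __name__ == "__main__":
    for name, blob in (("binary", BINARY_OK), ("truncated", TRUNCATED), ("ascii", ASCII_OK)):
        print(name, inspect_stl(blob))
    same, digests = check_reproducible({"machine-A": BINARY_OK, "machine-B": BINARY_OK})
    print("reproducible:", same, digests)
```

For the reproducibility test, read the two STL files exported on the two machines into `check_reproducible`; matching digests are what makes it possible to verify a release artifact against an independent rebuild rather than trusting one contributor's endpoint. `inspect_stl` does not make a file safe; it only refuses files whose header and length disagree, so that a reviewer can reject them before any STL parser processes the declared triangle count.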

maltfield commented 2 months ago

@goldfishlaser were you able to test to see if your .stl files are reproducible?

If they are deterministic, then we can distrust the infrastructure and create a safe process to add them to the releases.

goldfishlaser commented 2 months ago

I don't have access to one, let alone two computers set up with openscad at the moment.

Expected resolution time unknown.

maltfield commented 2 months ago

@goldfishlaser Can you please share the instructions/steps for generating an STL file?

I also only have one machine, but I run VMs on it, so I can test reproducibility for you.

goldfishlaser commented 2 months ago

I said I have access to 0 computers to do this, not 1. Technically, I have a laptop running off a live USB, but I don't have enough available disk space on it to download an ISO or run VMs because of a mistake I made, and I can't correct the mistake while under such limitations either. All I can do with it is browse the internet and download small files.

I don't have enough space to clone the repo, so I can't make a new PR for an indeterminate amount of time. So you'll have to get the openscad file from my fork or just pick a random scad file.

Just open the file, select the render icon, select the STL icon. Voila.

See OpenSCAD docs for more.

On Tue, Sep 10, 2024, 9:57 AM Michael Altfield @.***> wrote:

@goldfishlaser https://github.com/goldfishlaser Can you please share the instructions/steps for generating an STL file?

I also only have one machine, but I run VMs on it, so I can test reproducibility for you.
